Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/

ChaosVPN:MacOSXHowto

From CCCHHWiki
Jump to: navigation, search

Back

Note:
ChaosVPN is a VPN to connect Hackers and Hackerspaces - it does NOT provide anonymous internet access!
For this look at tor or other similar services.

It will also not help you to reach domains like .rdos, .lll, .clos or any other strange things supposed to be available on the "dark web".

Alternative: If you prefer BGP, you can also connect via https://dn42.net/, we are interconnected.

How to install on OS X, as done on 10.14 (Mojave)

Error creating thumbnail: Unable to save thumbnail to destination

Installation

Install tinc, openssl and tuntap via homebrew

brew cask install tuntap && brew install tinc openssl

Install tinc and tuntap via macports

port install tuntaposx && port install tinc && port load tuntaposx

The tuntap package requires some manual work with root permissions

# ==> Caveats
# In order for TUN/TAP network devices to work, the tun/tap kernel extensions
# must be installed by the root user:
 sudo cp -pR /usr/local/Cellar/tuntap/20111101/Library/Extensions/tap.kext /Library/Extensions/
 sudo cp -pR /usr/local/Cellar/tuntap/20111101/Library/Extensions/tun.kext /Library/Extensions/
 sudo chown -R root:wheel /Library/Extensions/tap.kext
 sudo chown -R root:wheel /Library/Extensions/tun.kext
 sudo touch /Library/Extensions/
# To load the extensions at startup, you have to install those scripts too:
 sudo cp -pR /usr/local/Cellar/tuntap/20111101/tap /Library/StartupItems/
 sudo chown -R root:wheel /Library/StartupItems/tap
 sudo cp -pR /usr/local/Cellar/tuntap/20111101/tun /Library/StartupItems/
 sudo chown -R root:wheel /Library/StartupItems/tun
# To load the extensions now:
 sudo kextload /Library/Extensions/tap.kext
 sudo kextload /Library/Extensions/tun.kext


The homebrew formula for tinc also got a bug, it fails to create a neccessary directory. You've got to do this manually as well.

 mkdir -p /usr/local/Cellar/tinc/1.0.35/var/run/

Download

Download and install chaosvpn from git

git clone git://github.com/ryd/chaosvpn.git
cd chaosvpn
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
make
sudo make appleinstall


Generate keys

Configure chaosvpn, which works mostly as described below.

Note that brew installs tinc 1.0.x, and it installs it to /usr/local, so the commands to generate the keys are:

mkdir -p /usr/local/etc/tinc/chaos
tinc --net=chaos --generate-keys=2048


Registration

You should now register with the chaosvpn team.

Devise a network-nick and a unique IP range you will be using

This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running,
not necessarily the name of the user, there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it. Note that only lowercase letters are supported.

Second please select an unused IPv4 range out of IP Range, and write yourself down in that wiki page to mark your future range as in-use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IP Range to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet),
you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN,
or a private IPv6 ULA (Unique Local Address) network described in RFC4193.
For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it youself and do not need to contact us when needed. (Perhaps something like chaosvpn.yourdomain.example)

Used below where <clienthost> is.

Generate keys

Generate keys with tinc 1.1+

# tinc --net=chaos init <nodename>

Replace <nodename> with the name your new node should get.

**FIXME** need some way that "tinc init" puts the public key into the seperate files and not only into the generated hosts file, which our chaosvpn daemon overwrites.

generate public/private RSA and ECDSA keypairs with

# tinc --net=chaos generate-keys 2048

press Enter 4 times and backup the files /etc/tinc/chaos/ecdsa_key.priv, ecdsa_key.pub, rsa_key.priv and rsa_key.pub on an external device.

Generate keys with tinc 1.0.xx

create chaos config folder with

# mkdir /etc/tinc/chaos/

generate public/private keypairs with

# tincd --net=chaos --generate-keys=2048

press Enter 2 times and backup the files /etc/tinc/chaos/rsa_key.priv and rsa_key.pub on an external device.

Mail us your Infos

  • send via email to chaosvpn-join@hamburg.ccc.de

We need the following info - but please be so kind and also add a short description of you/your space and your motivation to join chaosvpn - or at least make us laugh. :)

(Please remove all lines starting with # from the email, they are just descriptions)

[<nodename>]

sponsor=
# Name a person/nickname/nodename or organisation/hackerspace already on ChaosVPN that will
# vouch for you getting access.

gatewayhost=<clienthost>
# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.

network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with  IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.

owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.

port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 should accept TCP and UDP traffic from internet.

hidden=0
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
silent=0
# (optional)
# "I cannot connect out, but you can connect to me."
# Only ONE of hidden=1 or silent=1 is possible. 

Ed25519PublicKey=<something>
# (optional)
# tinc 1.1pre11+ only, contents of your /etc/tinc/chaos/ed25519_key.pub

-----BEGIN RSA PUBLIC KEY-----
....
-----END RSA PUBLIC KEY-----
# (mandatory)
# rsa-public-key - contents of your /etc/tinc/chaos/rsa_key.pub


Awaiting Response, give us some days, your request is processed manually

Retry until $success or $reject - but do not spam us.


Configure

The configuration file for chaosvpn is located in /usr/local/etc/tinc and may be edited by

sudo nano /usr/local/etc/tinc/chaosvpn.conf

You've got to change $my_peerid and $my_vpn_ip.


Configure nameserver

To use ChaosVPN's nameserver for .hack tlds, create the file /etc/resolver/hack containing the following line

nameserver 172.31.0.5


Run

To run it immediately, you can try

sudo ./chaosvpn

Or create a LaunchDaemon to automatically run at system boot.

sudo nano /Library/LaunchDaemons/de.ccc.hamburg.wiki.chaosvpn.plist

Insert this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>de.ccc.hamburg.wiki.chaosvpn</string>
    <key>ProgramArguments</key>
    <array>
        <string>/path/to/chaosvpn/chaosvpn</string>
    </array>
</dict>
</plist>

To launch chaosvpn now, run:

sudo launchctl load -w /Library/LaunchDaemons/de.ccc.hamburg.wiki.chaosvpn.plist

(There is a tool for faster reconnects after network interruptions)

Some example uses to try if your connection is alive

  1. ifconfig tun0
    the output should be something like
    tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.31.1.13 --> 172.31.255.254 netmask 0xffffffff
    open (pid 11693)
  2. ping 172.31.0.5
    pings the dns server
  3. Access a ChaosVPN internal web page in your browser
  4. Have a look at the service list